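;;; MetzNet base system definitions for Guix System.
;;;
;;; Review notes (security) for anyone deploying from this module:
;;;  * The root account below carries a hard-coded password ("root") hashed
;;;    with a fixed salt.  Replace it with a hash you generate yourself.
;;;  * sssd.conf is produced as a plain-file from the LDAP_BINDDN/LDAP_BINDPW
;;;    environment variables at build time.  A plain-file is a store item and
;;;    the store is world-readable, so the bind password is not secret on the
;;;    resulting system even though the activation snippet chmods it to 0600.
;;;  * allow-weak-crypto? remains enabled for Kerberos (see the note there).
;;;  * Substitutes from nonguix are trusted via the key in
;;;    %metznet-desktop-services; that is a supply-chain trust decision.

(define-module (system base-system)
  #:use-module (metznet)
  #:use-module (ice-9 exceptions)
  #:use-module (nongnu system linux-initrd)
  #:use-module (nongnu packages linux)
  #:use-module (guix gexp)
  #:use-module (guix utils)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (gnu)
  #:use-module (gnu system setuid)
  #:use-module (gnu system nss)
  #:use-module (gnu system pam)
  #:use-module (gnu services)
  #:use-module (gnu services dbus)
  #:use-module (gnu services pm)
  #:use-module (gnu services shepherd)
  #:use-module (gnu services authentication)
  #:use-module (gnu services configuration)
  #:use-module (gnu services vpn)
  #:use-module (gnu services networking)
  #:use-module (gnu services ssh)
  #:use-module (gnu services kerberos)
  #:use-module (gnu services desktop)
  #:use-module (gnu services xorg)
  #:use-module (gnu services base)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages ssh)
  #:use-module (gnu packages sssd)
  #:use-module (gnu packages compression)
  #:use-module (gnu packages libedit)
  #:use-module (gnu packages hurd)
  #:use-module (gnu packages tls)
  #:use-module (gnu packages xorg)
  #:use-module (gnu packages pkg-config)
  #:use-module (gnu packages groff)
  #:use-module (gnu packages gcc)
  #:use-module (gnu packages commencement)
  #:use-module (gnu packages security-token)
  #:use-module (gnu packages vim)
  #:use-module (gnu packages certs)
  #:use-module (gnu packages vpn)
  #:use-module (gnu packages networking)
  #:use-module (gnu packages dns)
  #:use-module (gnu packages base)
  #:use-module (gnu packages openldap)
  #:use-module (gnu packages kerberos)
  #:use-module (gnu packages admin)
  #:use-module (gnu packages shells)
  #:use-module (gnu packages gnome)
  #:use-module (gnu packages wm)
  #:use-module (gnu packages suckless)
  #:use-module (gnu packages gnuzilla)
  #:use-module (gnu packages terminals)
  #:use-module (gnu packages virtualization)
  #:use-module (gnu packages version-control)
  #:export (%domain-realm
            %domain-name
            %domain-kadmin
            %domain-kdc
            %metznet-base-user-accounts
            %metznet-base-groups
            %metznet-base-packages
            %metznet-desktop-packages
            %metznet-server-packages
            %metznet-setuid-programs
            %default-keyboard-layout
            %kvm-udev-rule
            %usb-udev-rule
            %tun-udev-rule
            %metznet-desktop-services
            %metznet-server-services
            %metznet-base-server-system
            %metznet-base-desktop-system))


;;;
;;; Domain / realm constants.
;;;

(define %domain-realm "METZNET.CA")
(define %domain-name "metznet.ca")
;; Both the admin server and the KDC live on the same host.
(define %domain-kadmin (string-append "kerberos." %domain-name))
(define %domain-kdc (string-append "kerberos." %domain-name))


;;;
;;; Accounts, groups and package sets.
;;;

(define %metznet-base-user-accounts
  (append
   (list
    (user-account
     (name "root")
     (group "root")
     (uid 0)
     ;; SECURITY: the password "root" is hashed at build time with a fixed
     ;; salt, so every system built from this module shares a known root
     ;; password.  Generate a hash yourself (e.g. mkpasswd -m sha-512) and
     ;; paste it here before deploying.  Note that even a strong hash ends
     ;; up in the world-readable store via /etc/shadow generation inputs.
     (password (crypt "root" "$6$salt"))
     (shell (file-append zsh "/bin/zsh"))))
   %base-user-accounts))

;; "realtime" and "usb" are granted via udev rules below; "netdev" and
;; "video" come from %base-groups.
(define %metznet-base-groups
  (append
   (list (user-group (system? #t) (name "realtime"))
         (user-group (system? #t) (name "usb")))
   %base-groups))

;; nss-certs / le-certs in the system profile populate /etc/ssl/certs, which
;; sssd.conf below relies on for ldaps:// certificate validation.
(define %metznet-base-packages
  (append
   (list openssh nss-pam-ldapd openldap git neovim zsh le-certs nss-certs
         mit-krb5 openvpn openresolv)
   %base-packages))

(define %metznet-desktop-packages
  (append (list i3-wm i3status dmenu kitty icecat)
          %metznet-base-packages))

(define %metznet-server-packages
  (append (list isc-dhcp)
          %metznet-base-packages))

;; Exported under the name the module header advertises; the original bound
;; only %desktop-setuid-programs, leaving %metznet-setuid-programs unbound.
(define %metznet-setuid-programs
  (append
   (list
    ;; SECURITY: both programs run setuid-root.  A setuid-root openvpn lets
    ;; any local user start it with an arbitrary configuration file, and
    ;; openvpn configurations can name scripts (--up/--down/...) that then
    ;; execute with root privileges.  On the desktop the VPN is also available
    ;; through NetworkManager (see %metznet-desktop-services); drop these
    ;; entries unless an unprivileged user really must run openvpn directly.
    (setuid-program (program #~(string-append #$openvpn "/sbin/openvpn")))
    (setuid-program (program #~(string-append #$openresolv "/sbin/resolvconf"))))
   %setuid-programs))

;; Previous internal name, kept as an alias.
(define %desktop-setuid-programs %metznet-setuid-programs)


;;;
;;; Kerberos.
;;;

(define %metznet-krb5-config
  (krb5-configuration
   (default-realm %domain-realm)
   ;; SECURITY: permits deprecated, weak enctypes (single-DES and friends)
   ;; for tickets and session keys.  Keep this only while the KDC or a
   ;; service principal genuinely cannot do AES; otherwise set it to #f.
   (allow-weak-crypto? #t)
   ;; Do not canonicalise host names through reverse DNS when building
   ;; service principals; avoids DNS-based principal substitution.
   (rdns? #f)
   (realms
    (list (krb5-realm
           (name %domain-realm)
           (admin-server %domain-kadmin)
           (kdc %domain-kdc))))))


;;;
;;; Keyboard and udev rules.
;;;

(define %default-keyboard-layout (keyboard-layout "us"))

;; The device node is /dev/kvm and udev KERNEL matches are case-sensitive;
;; the original "KVM" therefore never matched.  The "libvirt" group is not
;; created by %metznet-base-groups and must exist on any system using this
;; rule (typically via the libvirt service).
(define %kvm-udev-rule
  (udev-rule "65-kvm.rules"
             "KERNEL==\"kvm\", GROUP=\"libvirt\", MODE=\"0660\""))

;; Hands raw USB device access to members of the "usb" group.
(define %usb-udev-rule
  (udev-rule "51-usb.rules"
             (string-append "SUBSYSTEM==\"usb\", GROUP=\"usb\"\n"
                            "SUBSYSTEM==\"usbmisc\", GROUP=\"usb\"")))

;; Lets members of "netdev" open /dev/net/tun (needed for unprivileged VPN
;; and VM networking).
(define %tun-udev-rule
  (udev-rule "90-tun.rules"
             "KERNEL==\"tun\", GROUP=\"netdev\", MODE=\"0660\", OPTIONS+=\"static_node=net/tun\""))

;; NOTE(review): Guix System does not provide /bin/chgrp (only /bin/sh is
;; created in /bin), so this RUN+= command is likely to fail silently;
;; confirm on a target machine and, if so, point it at the store path of
;; coreutils' chgrp or use a GROUP=/MODE= assignment on the sysfs attribute.
(define %backlight-udev-rule
  (udev-rule "55-backlight.rules"
             "RUN+=\"/bin/chgrp video /sys/class/backlight/intel_backlight/brightness\""))


;;;
;;; Name service switch and PAM.
;;;

;; NOTE(review): "sss" is consulted before "files".  The conventional order
;; is "files sss" so that local accounts (root in particular) never wait on
;; the SSSD socket; verify root can still log in with sssd stopped.
(define %metznet-name-service-switch
  (let ((services (list (name-service (name "sss"))
                        (name-service (name "files")))))
    (name-service-switch
     (password services)
     (shadow services)
     (group services))))

(define pam-ldap-module
  (file-append nss-pam-ldapd "/lib/security/pam_ldap.so"))

(define (metznet-pam-service config)
  "Return a procedure mapping a PAM service to a modified copy when its name
is in CONFIG (a list of service names): pam_ldap is prepended as
\"sufficient\" to the password stack and pam_mkhomedir as \"required\" to the
session stack.  Services not listed in CONFIG are returned unchanged."
  (lambda (pam)
    (if (member (pam-service-name pam) config)
        (let ((ldap-sufficient (pam-entry (control "sufficient")
                                          (module pam-ldap-module)))
              (mkhomedir (pam-entry (control "required")
                                    (module "pam_mkhomedir.so"))))
          (pam-service
           (inherit pam)
           ;; Fixed: the original read the *account* stack for both fields,
           ;; silently replacing the service's existing session and password
           ;; entries with its account entries.
           (session (cons mkhomedir (pam-service-session pam)))
           (password (cons ldap-sufficient (pam-service-password pam)))))
        pam)))

(define (metznet-pam-services config)
  "PAM root service extension: one transformer built from CONFIG."
  (list (metznet-pam-service config)))


;;;
;;; SSSD.
;;;

(define (required-env name)
  "Return the value of environment variable NAME, raising a descriptive error
when it is unset.  The original passed the raw getenv result to string-append,
which fails with an opaque wrong-type error when the variable is missing."
  (or (getenv name)
      (error (string-append "environment variable " name
                            " must be set to build sssd.conf"))))

;; SECURITY: this is a plain-file, i.e. a world-readable store item, and it
;; carries the LDAP bind password taken from the build environment.  The
;; chmod in %sssd-activation does not change that.  Use a bind account with
;; the minimum read rights needed (or no bind account at all if the
;; directory allows anonymous lookups), and expect the value to be visible
;; to every local user and in any store export.
(define default-sssd-conf-file
  (plain-file "sssd.conf"
              (string-join
               (list "[sssd]"
                     "domains = metznet.ca"
                     "services = nss, sudo, pam, ssh, ifp"
                     ""
                     "[domain/metznet.ca]"
                     "id_provider = ldap"
                     "auth_provider = ldap"
                     ;; Cached credential hashes are stored under
                     ;; /var/lib/sss/db (see %sssd-activation).
                     "cache_credentials = True"
                     "ldap_uri = ldaps://ldap.metznet.ca"
                     ;; Was "never", which accepts any server certificate and
                     ;; makes the ldaps:// channel (carrying user passwords)
                     ;; trivially interceptable.  CA certificates are present
                     ;; in the cacertdir below through nss-certs/le-certs; a
                     ;; private CA for ldap.metznet.ca must be added there.
                     "ldap_tls_reqcert = demand"
                     "ldap_tls_cacertdir = /etc/ssl/certs"
                     "ldap_search_base = ou=users,ou=accounts,dc=metznet,dc=ca"
                     (string-append "ldap_default_bind_dn = "
                                    (required-env "LDAP_BINDDN"))
                     "ldap_default_authtok_type = password"
                     (string-append "ldap_default_authtok = "
                                    (required-env "LDAP_BINDPW")))
               "\n")))

(define metznet-service-type
  (service-type
   (name 'metznet-service)
   (description "MetzNet Services")
   (extensions
    (list (service-extension pam-root-service-type metznet-pam-services)))
   ;; The value is the list of PAM service names to modify.
   (default-value '())))

(define-configuration sssd-configuration
  (sssd (file-like sssd) "SSSD Package to use")
  (config (file-like default-sssd-conf-file) "sssd.conf file"))

(define (sssd-pam-service config)
  "Return a PAM transformer that inserts pam_sss from CONFIG's sssd package at
the head of the auth, account, password and session stacks of every service
named in pam-service-list; other services are returned unchanged."
  (define sssd-pam-module
    (file-append (sssd-configuration-sssd config) "/lib/security/pam_sss.so"))
  (lambda (pam)
    (if (member (pam-service-name pam) pam-service-list)
        (let ((sufficient (pam-entry (control "sufficient")
                                     (module sssd-pam-module)))
              (optional (pam-entry (control "optional")
                                   (module sssd-pam-module))))
          (pam-service
           (inherit pam)
           (auth (cons sufficient (pam-service-auth pam)))
           (account (cons sufficient (pam-service-account pam)))
           (password (cons sufficient (pam-service-password pam)))
           ;; A "sufficient" entry at the head of the session stack ends the
           ;; stack as soon as pam_sss succeeds, skipping every later session
           ;; module (pam_mkhomedir added by metznet-service-type, elogind,
           ;; ...).  The standard sssd setup is "session optional pam_sss.so".
           (session (cons optional (pam-service-session pam)))))
        pam)))

(define (sssd-pam-services config)
  "PAM root service extension for sssd-service-type."
  (list (sssd-pam-service config)))

(define (sssd-shepherd-service config)
  "Shepherd service running sssd in the foreground as root."
  (list
   (shepherd-service
    (documentation "Run the SSSD daemon (LDAP identities, PAM, sudo, ssh).")
    (provision '(sssd))
    (requirement '(networking user-processes))
    (start #~(make-forkexec-constructor
              ;; "-i" keeps sssd in the foreground for shepherd.
              ;; "-d 0x77f0" enables very verbose debug logging; such logs
              ;; can contain user names and directory details, so lower the
              ;; level once the deployment is working.
              (list (string-append #$(sssd-configuration-sssd config) "/sbin/sssd")
                    "-i" "-d" "0x77f0")
              #:user "root"
              #:group "root"
              #:environment-variables
              (list (string-append "LD_LIBRARY_PATH="
                                   #$(sssd-configuration-sssd config) "/lib"))))
    (stop #~(make-kill-destructor)))))

(define %sssd-activation
  #~(begin
      (let ((dbdir "/var/lib/sss/db")
            (dbusdir "/var/lib/sss/pipes/private")
            (user (getpw "root")))
        ;; NOTE(review): sssd itself creates pipes/private as 0700 and dbdir
        ;; holds the cached credential hashes (cache_credentials = True).
        ;; 0755 lets every local user list both directories; the files inside
        ;; still get sssd's own modes, but 0700 here would be the safer choice
        ;; — confirm sssd starts cleanly with it before tightening.
        (mkdir-p/perms dbusdir user #o755)
        (mkdir-p/perms dbdir user #o755)
        ;; /etc/sssd/sssd.conf is installed by etc-service-type as a link to a
        ;; store item.  NOTE(review): chmod follows the link, the store is
        ;; world-readable and normally mounted read-only, so this neither hides
        ;; the bind password nor is guaranteed to succeed — verify on a host.
        (chmod "/etc/sssd/sssd.conf" #o600))))

(define (sssd-etc-service config)
  "Install CONFIG's sssd.conf as /etc/sssd/sssd.conf."
  `(("sssd/sssd.conf" ,(sssd-configuration-config config))))

(define sssd-service-type
  (service-type
   (name 'sssd)
   (description "MetzNet SSSD Service")
   (extensions
    (list (service-extension pam-root-service-type sssd-pam-services)
          ;; sssd ships D-Bus policy files (infopipe).
          (service-extension dbus-root-service-type
                             (compose list sssd-configuration-sssd))
          (service-extension etc-service-type sssd-etc-service)
          (service-extension activation-service-type (const %sssd-activation))
          ;; Make nss_sss visible to nscd.
          (service-extension nscd-service-type (const (list sssd)))
          (service-extension shepherd-root-service-type sssd-shepherd-service)))
   (default-value (sssd-configuration))))

;; PAM services that receive the pam_sss / pam_ldap / pam_mkhomedir entries.
(define pam-service-list
  (list "su" "gdm-password" "login" "sshd" "passwd"))


;;;
;;; Service lists.
;;;

(define %metznet-services
  (list
   ;; Some tools hard-code /bin/zsh as the login shell path.
   (simple-service 'metznet-ln-service activation-service-type
                   #~(symlink "/run/current-system/profile/bin/zsh" "/bin/zsh"))
   ;; NOTE(review): only Kerberos is added here; whether password
   ;; authentication and root login stay at their openssh-configuration
   ;; defaults matters given the hard-coded root password above — check
   ;; permit-root-login / password-authentication? for the deployed config.
   (service openssh-service-type
            (openssh-configuration
             (extra-content "KerberosAuthentication yes")))
   (service krb5-service-type %metznet-krb5-config)
   ;; minimum-uid 1000 keeps system accounts (root included) out of pam_krb5.
   (service pam-krb5-service-type
            (pam-krb5-configuration
             (pam-krb5 pam-krb5)
             (minimum-uid 1000)))
   (service sssd-service-type)
   (service metznet-service-type pam-service-list)))

;; Positive passwd/group answers are cached for 12 hours and persisted across
;; nscd restarts; account *removals* in LDAP therefore take up to 12 hours to
;; affect name lookups on a host (authentication is not cached by nscd).
(define %metznet-nscd-configuration
  (nscd-configuration
   (caches
    (append
     (list (nscd-cache (database 'passwd)
                       (positive-time-to-live (* 3600 12))
                       (negative-time-to-live 20)
                       (persistent? #t))
           (nscd-cache (database 'group)
                       (positive-time-to-live (* 3600 12))
                       (negative-time-to-live 20)
                       (persistent? #t)))
     %nscd-default-caches))))

(define %metznet-desktop-services
  (append
   %metznet-services
   (modify-services %desktop-services
     (nscd-service-type config => %metznet-nscd-configuration)
     (elogind-service-type
      config => (elogind-configuration
                 (inherit config)
                 (handle-lid-switch-external-power 'suspend)))
     ;; Supply-chain note: this authorises nonguix's build farm to provide
     ;; binary substitutes for anything it has built, not just nonguix
     ;; packages.  The key below is what that trust is pinned to.
     (guix-service-type
      config => (guix-configuration
                 (inherit config)
                 (substitute-urls
                  (append (list "https://substitutes.nonguix.org")
                          %default-substitute-urls))
                 (authorized-keys
                  (append (list (plain-file "nonguix.pub"
                                            "(public-key (ecc (curve Ed25519) (q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#)))"))
                          %default-authorized-guix-keys))))
     (udev-service-type
      config => (udev-configuration
                 (inherit config)
                 (rules (append (list %tun-udev-rule %backlight-udev-rule)
                                (udev-configuration-rules config)))))
     (network-manager-service-type
      config => (network-manager-configuration
                 (inherit config)
                 (vpn-plugins (list network-manager-openvpn)))))))

(define %metznet-server-services
  (append
   %metznet-services
   (list (dbus-service)
         (service dhcp-client-service-type)
         ;; The tls-auth key lives outside the store at /etc/openvpn/ta.key
         ;; and must be provisioned separately with restrictive permissions.
         (openvpn-client-service
          #:config (openvpn-client-configuration
                    (openvpn openvpn)
                    (pid-file "/var/run/openvpn/client.pid")
                    (persist-key? #f)
                    (tls-auth "/etc/openvpn/ta.key"))))
   (modify-services %base-services
     (nscd-service-type config => %metznet-nscd-configuration))))


;;;
;;; Operating systems.
;;;

(define %metznet-base-operating-system
  (operating-system
    ;; Hostname and localization information
    (host-name "base")
    (timezone "America/Edmonton")
    (locale "en_CA.utf8")
    (keyboard-layout %default-keyboard-layout)
    (name-service-switch %metznet-name-service-switch)
    ;; Kernel and firmware definitions (nonfree kernel/firmware from nonguix)
    (kernel linux)
    (kernel-arguments (append '("console=ttyS0") %default-kernel-arguments))
    (firmware (list linux-firmware))
    (initrd microcode-initrd)
    ;; Grub UEFI Bootloader installed to /boot/efi
    (bootloader (bootloader-configuration
                 (bootloader grub-efi-bootloader)
                 (targets '("/boot/efi"))
                 (keyboard-layout keyboard-layout)))
    ;; Fixed virtio device names; derived systems should override these
    ;; (or use UUIDs/labels) for real hardware.
    (file-systems (cons* (file-system
                           (mount-point "/boot/efi")
                           (device "/dev/vda1")
                           (type "vfat")
                           (check? #f))
                         (file-system
                           (mount-point "/")
                           (device "/dev/vda3")
                           (type "xfs")
                           (check? #f))
                         %base-file-systems))
    (users %metznet-base-user-accounts)
    (groups %metznet-base-groups)
    (packages %metznet-base-packages)
    (services (append %metznet-services %base-services))))

(define %metznet-base-server-system
  (operating-system
    (inherit %metznet-base-operating-system)
    (host-name "metznet-base-server")
    (packages %metznet-server-packages)
    (services %metznet-server-services)))

(define %metznet-base-desktop-system
  (operating-system
    (inherit %metznet-base-operating-system)
    (host-name "metznet-base-desktop")
    (setuid-programs %metznet-setuid-programs)
    (packages %metznet-desktop-packages)
    (services %metznet-desktop-services)))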